Comment: A few commenters requested an exemption from the rule for the Social Security and Supplemental Security Income Disability Programs so that disability claimants can be served in a fair and timely manner. The commenters were concerned that the proposal would be narrowly interpreted, thereby impeding the release of medical records for the purposes of Social Security disability programs.

Another commenter similarly asked that a special provision be added to the proposal's general rule for uses and disclosures without authorization for treatment, payment, and health care operations purposes to authorize disclosure of all medical information from all sources to the Social Security Administration, including their contracted state agencies handling disability determinations.

Response: A complete exemption for disclosures for these programs is not necessary. Under current practice, the Social Security Administration obtains authorization from applicants for providers to release an individual's records to SSA for disability and other determinations. Thus, there is no reason to believe that an exemption from the authorization required by this rule is needed to allow these programs to function effectively. Further, such an exemption would reduce privacy protections from current levels. When this rule goes into effect, those authorizations will need to meet the requirements for authorization under § 164.508 of this rule.

We do, however, modify other provisions of the proposed rule to accommodate the special requirements of these programs. In particular, Social Security Disability and other federal programs, and public benefits programs run by the states, are authorized by law to share information for eligibility purposes. Where another public body has determined that the appropriate balance between need for efficient administration of public programs and public funds and individuals' privacy interests is to allow information sharing for these limited purposes, we do not upset that determination. Where the sharing of enrollment and eligibility information is required or expressly authorized by law, this rule permits such sharing of information for eligibility and enrollment purposes (see § 164.512(k)(6)(i)), and also excepts these arrangements from the requirements for business associate agreements (see § 164.502(e)(1)).

Comment: A few commenters asked that the rule be revised to authorize disclosures to clergy, for directory purposes, to organ and tissue procurement organizations, and to the American Red Cross without patient authorization.

Response: We agree and revise the final rule accordingly. The new policies and the rationale for these policies are found in §§ 164.510 and 164.512, and the corresponding preamble.

Comment: One commenter recommended that the rule apply only to the "disclosure" of protected health information by covered entities, rather than to both "use" and "disclosure." The commenter stated that the application of the regulation to a covered entity's use of individually identifiable health information offers little benefit in terms of protecting protected health information, yet imposes costs and may hamper many legitimate activities that fall outside the definition of treatment, payment or health care operations.

Another commenter similarly urged that the final regulation draw substantive distinctions between restrictions on the "use" of individually identifiable health information and on the "disclosure" of such information, with broader latitude for "uses" of such information. The commenter believed that internal "uses" of such information generally do not raise the same issues and concerns that a disclosure of that information might raise. It was argued that any concerns about the potential breadth of use of this information could be addressed through application of the "minimum necessary" standard. The commenter also argued that Congressional intent was that a "disclosure" of individually identifiable health information is potentially much more significant than a "use" of that information.

Response: We do not accept the commenter's broad recommendation to apply the regulation only to the "disclosure" of protected health information and not to "use" of such information. Section 264 charges the Secretary with promulgating standards that address, among other things, "the uses and disclosures" of individually identifiable health information. We also do not agree that applying the regulation to "use" offers little benefit to protecting protected health information. The potential exists for misuse of protected health information within entities. This potential is even greater when the covered entity also provides services or products outside its role as a health care provider, health plan, or health care clearinghouse for which "use" of protected health information offers economic benefit to the entity. For example, if this rule did not limit "uses" generally to treatment, payment and health care operations, a covered entity that also offered financial services could be able to use protected health information without authorization to market or make coverage or rate decisions for its financial services products. Without the minimum necessary standard for uses, a hospital would not be constrained from allowing their appointment scheduling clerks free access to medical records.

We agree, however, that it is appropriate to apply somewhat different requirements to uses and disclosures of protected health information permitted by this rule. We therefore modify the application of the minimum necessary standard to accomplish this. See the preamble to § 164.514 for a discussion of these changes.

Comment: A commenter argued that the development, implementation, and use of integrated computer-based patient medical record systems, which requires efficient information sharing, will likely be impeded by regulatory restrictions on the "use" of protected health information and by the minimum necessary standard.

Response: We have modified the proposed approach to regulating "uses" of protected health information within an entity, and believe our policy is compatible with the development and implementation of computer-based medical record systems. In fact, we drew part of the revised policy on "minimum necessary" use of protected health information from the role-based access approach used in several computer-based records systems today. These policies are described further in § 164.514.

Comment: One commenter asked that the general rules for uses and disclosures be amended to permit covered entities to disclose protected health information for purposes relating to property and casualty benefits. The commenter argued that the proposal could affect its ability to obtain protected health information from covered entities, thereby constricting the flow of medical information needed to administer property and casualty benefits, particularly in the workers' compensation context. It was stated that this could seriously impede property and casualty benefit providers' ability to conduct business in accordance with state law.

Response: We disagree that the rule should be expanded to permit all uses and disclosures that relate to property and casualty benefits. Such a broad provision is not in keeping with protecting the privacy of individuals. Although we generally lack the authority under HIPAA to regulate the practices of this industry, the final rule addresses when covered entities may disclose protected health information to property and casualty insurers. We believe that the final rule permits property and casualty insurers to obtain the protected health information that they need to maintain their promises to their policyholders. For example, the rule permits a covered entity to use or disclose protected health information relating to an individual when authorized by the individual. Property and casualty insurers are free to obtain authorizations from individuals for release by covered entities of the health information that the insurers need to administer claims, and this rule does not affect their ability to condition payment on obtaining such an authorization from insured individuals. Property and casualty insurers providing payment on a third-party basis have an opportunity to obtain authorization from the individual and to condition payment on obtaining such authorization. The final rule also permits covered entities to make disclosures to obtain payment, whether from a health plan or from another person such as a property and casualty insurer. For example, where an automobile insurer is paying for medical benefits on a first-party basis, a health care provider may disclose protected health information to the insurer as part of a request for payment. We also include in the final rule a new provision that permits covered entities to use or disclose protected health information as authorized by workers' compensation or similar programs established by law addressing work-related injuries or illness. See § 164.512(l). These statutory programs establish channels of information sharing that are necessary to permit compensation of injured workers.

Comment: A few commenters suggested that the Department specify "prohibited" uses and disclosures rather than "permitted" uses and disclosures.

Response: We reject these commenters' suggestion because we believe that the best privacy protection in most instances is to require the individual's authorization for use or disclosure of information, and that the role of this rule is to specify those uses and disclosures for which the balance between the individuals' privacy interest and the public's interests dictates a different approach. The opposite approach would require us to anticipate the much larger set of all possible uses of information that do not implicate the public's interest, rather than to specify the public interests that merit regulatory protection.

Comment: A commenter recommended that the rule be revised to more strongly discourage the use of individually identifiable health information where de-identified information could be used.

Response: We agree that the use of de-identified information wherever possible is good privacy practice. We believe that by requiring covered entities to implement these privacy restrictions only with respect to individually identifiable health information, the final rule strongly encourages covered entities to use de-identified information as much as practicable.

Comment: One commenter recommended that when information from health records is provided to authorized external users, this information should be accompanied by a statement prohibiting use of the information for other than the stated purpose; prohibiting disclosure by the recipient to any other party without written authorization from the patient, or the patient's legal representative, unless such information is urgently needed for the patient's continuing care or otherwise required by law; and requiring destruction of the information after the stated need has been fulfilled.

Response: We agree that restricting other uses or re-disclosure of protected health information by a third party that may receive the information for treatment, payment, and health care operations purposes or other purposes permitted by rule would be ideal with regard to privacy protection. However, as described elsewhere in this preamble, once protected health information leaves a covered entity the Department no longer has jurisdiction under the statute to apply protections to the information. Since we would have no enforcement authority, the costs and burdens of requiring covered entities to produce and distribute such a statement to all recipients of protected health information, including those with whom the covered entity has no on-going relationship, would outweigh any benefits to be gained from such a policy. Similarly, where protected health information is disclosed for routine treatment, payment and operations purposes, the sheer volume of these disclosures makes the burden of providing such a statement unacceptable. Appropriate protection for these disclosures requires law or regulation directly applicable to the recipient of the information, not further burden on the disclosing entity. Where, however, the recipient of protected health information is providing a service to or on behalf of the covered entity this balance changes. It is consistent with long-standing legal principles to hold the covered entity to a higher degree of responsibility for the actions of its agents and contractors. See § 164.504 for a discussion of the responsibilities of covered entities for the actions of their business associates with respect to protected health information.

Comment: Most commenters on this topic generally did not approve of the Secretary's proposal with regard to protected health information about deceased individuals. The majority of these commenters argued that our proposal was not sufficiently protective of such information. Commenters agreed with the statements made in the preamble to the proposed rule that the privacy concerns addressed by this policy are not limited to the confidential protection of the deceased individual but instead also affect the decedent's family, as genetic information and information pertinent to hereditary diseases and risk factors for surviving relatives and direct family members may be disclosed through the disclosure of the deceased individual's confidential data. It was argued that the proposal would be inadequate to protect the survivors who could be negatively affected and in most cases will outlive the two-year period of protection. A number of medical associations asserted that individuals may avoid genetic testing, diagnoses, and treatment and suppress information important to their health care if they fear family members will suffer discrimination from the release of their medical information after their death. One commenter pointed out that ethically little distinction can be made between protecting an individual's health information during life and protecting it post-mortem. Further, it was argued that the privacy of the deceased individual and his or her family is far more important than allowing genetic information to be abstracted by an institutional or commercial collector of information. A few commenters asked that we provide indefinite protection on the protected health information about a deceased person contained in psychotherapy notes. One commenter asked that we extend protections on records of children who have died of cancer for the lifetime of a deceased child's siblings and parents.

The majority of commenters who supported increased protections on the protected health information about the deceased asked that we extend protections on such information indefinitely or for as long as the covered entity maintains the information. It was also argued that the administrative burden of perpetual protection would be no more burdensome than it is now as current practice is that the confidentiality of identifiable patient information continues after death. A number of others pointed out that there was no reason to set a different privacy standard for deceased individuals than we had for living individuals and that it has been standard practice to release the information of deceased individuals with a valid consent of the executor, next of kin, or specific court order. In addition, commenters referenced Hawaii's health care information privacy law (see Haw. Rev. Stat. section 323C-43) as at least one example of a state law where the privacy and access provisions of the law continue to apply to the protected health information of a deceased individual following the death of that individual.

Response: We find the arguments raised by these commenters persuasive. We have reconsidered our position and believe these arguments for maintaining privacy on protected health information without temporal limitations outweigh any administrative burdens associated with maintaining such protections. As such, in the final rule we revise our policy to extend protections on the protected health information about a deceased individual to remain in effect for as long as the covered entity maintains the information.

For purposes of this regulation, this means that, except for uses and disclosures for research purposes (see § 164.512(i)), covered entities must under this rule protect the protected health information about a deceased individual in the same manner and to the same extent as required for the protected health information of living individuals. This policy alleviates the burden on the covered entity from having to determine whether or not the person has died and if so, how long ago, when determining whether or not the information can be released.

Comment: One commenter asked us to delete our standard for deceased individuals, asserting that the deceased have no constitutional right to privacy and state laws are sufficient to maintain protections for protected health information about deceased individuals.

Response: We understand that traditional privacy law has historically stripped privacy protection on information at the time the subject of the information dies. However, as we pointed out in the preamble to the proposed rule, the dramatic proliferation of electronic-based interchanges and maintenance of information has enabled easier and more ready access to information that once may have been de facto protected for most people because of the difficulty of its collection and aggregation. It is also our understanding that current state laws vary widely with regard to the privacy protection of a deceased individual's individually identifiable health information. Some are less protective than others and may not take into account the implications of disclosure of genetic and hereditary information on living individuals. For these reasons, a regulatory standard is needed here in order to adequately protect the privacy interests of those who are living.

Comment: Another commenter expressed concern over the administrative problems that the proposed standard would impose, particularly in the field of retrospective health research.

Response: For certain research purposes, we permit a covered entity to use and disclose the protected health information of a deceased individual without authorization by a personal representative and absent review by an IRB or privacy board. The verification standard (§ 164.514(h)) requires that covered entities obtain an oral or written representation that the protected health information sought will be used or disclosed solely for research, and § 164.512(i)(1)(iii) requires the covered entity to obtain from the researcher documentation of the death of the individual. We believe the burden on the covered entity will be small, because it can reasonably rely on the representation of purpose and documentation of death presented by the researcher.

Comment: A few commenters argued that the standard in the proposed rule would cause significant administrative burdens on their record retention and storage policies. Commenters explained that they have internal policy record-retention guidelines which do not envision the retention of records beyond a few years. Some commenters complained about the burden of having to track dates of death, as the commenters are not routinely notified when an individual has died.

Response: The final rule does not dictate any record retention requirements for the records of deceased individuals. Since we have modified the NPRM to cover protected health information about deceased individuals for as long as the covered entity maintains the information, there will be no need for the covered entity to track dates of death.

Comment: A few commenters voiced support for the approach proposed in the proposal to maintain protections for a period of two years.

Response: After consideration of public comments, we chose not to retain this approach because the two-year period would be both inadequate and arbitrary. As discussed above, we agree with commenter arguments in support of providing indefinite protection.

Comment: A few commenters expressed concern that the regulations may be interpreted as providing a right of access to a deceased's records only for a two-year period after death. They asked the Department to clarify that the right of access of an individual, including the representatives of a deceased individual, exists for the entire period the information is held by a covered entity.

Response: We agree with these comments, given the change in policy discussed above.

Comment: A few commenters suggested that privacy protections on protected health information about deceased individuals remain in effect for a specified time period longer than 2 years, arguing that two years was not long enough to protect the privacy rights of living individuals. These commenters, however, were not in agreement as to what other period of protection should be imposed, suggesting various durations from 5 to 20 years.

Response: We chose not to extend protections in this way because specifying another time period would raise many of the same concerns voiced by the commenters regarding our proposed two year period and would not reduce the administrative burden of having to track or learn dates of death. We believe that the policy in this final rule extending protections for as long as the covered entity maintains the information addresses commenter concerns regarding the need for increased protections on the protected health information about the deceased.

Comment: Some commenters asserted that information on the decedent from the death certificate is important for assessment and research purposes and requested that the Department clarify accordingly that death certificate data be allowed for use in traditional public health assessment activities.

Response: Nothing in the final rule impedes reporting of death by covered entities as required or authorized by other laws, or access to death certificate data to the extent that such data is available publicly from non-covered entities. Death certificate data maintained by a covered entity is protected health information and must only be used or disclosed by a covered entity in accordance with the requirements of this regulation. However, the final rule permits a covered entity to disclose protected health information about a deceased individual for research purposes without authorization and absent IRB or privacy board approval.

Comment: A few commenters asked that we include in the regulation a mechanism to provide for notification of date of death. These commenters questioned how a covered entity or business partner would be notified of a death and subsequently be able to determine whether the two-year period of protection had expired and if they were permitted to use or disclose the protected health information about the deceased. One commenter further stated that absent such a mechanism, a covered entity would continue to protect the information as if the individual were still living. This commenter recommended that the burden for providing notification and confirmation of death be placed on any authorized entity requesting information from the covered entity beyond the two-year period.

Response: In general, such notification is no longer necessary as, except for uses and disclosures for research purposes, the final rule protects the protected health information about a deceased individual for as long as the covered entity holds the record. With regard to uses and disclosures for research, the researcher must provide covered entities with appropriate documentation of proof of death; the burden is not on the covered entity.

Comment: A few commenters pointed to the sensitivity of genetic and hereditary information and its potential impact on the privacy of living relatives as a reason for extending protections on the information about deceased individuals for as long as the covered entity maintains the information. However, a few commenters recommended additional protections for genetic and hereditary information. For example, one commenter suggested that researchers should be able to use sensitive information of the deceased but then be required to publish findings in de-identified form. Another commenter recommended that protected health information about a deceased individual be protected as long as it implicates health problems that could be developed by living relatives.

Response: We agree with many of the commenters regarding the sensitivity of genetic or hereditary information and, in part for this reason, extended protections on the protected health information of deceased individuals. Our reasons for retaining the exception for research are explained above.

We agree with and support the practice of publishing research findings in de-identified form. However, we cannot regulate researchers who are not otherwise covered entities in this regulation.

Comment: One commenter asked that the final rule allow for disclosure of protected health information to funeral directors as necessary for facilitating funeral and disposition arrangements. The commenter believed that our proposal could seriously disrupt a family's ability to make funeral arrangements as hospitals, hospices, and other health care providers would not be allowed to disclose the time of death and other similar information critical to funeral directors for funeral preparation. The commenter also noted that funeral directors are already precluded by state licensing regulations and ethical standards from inappropriately disclosing confidential information about the deceased.

Further, the commenter stated that funeral directors have legitimate needs for protected health information of the deceased or of an individual when death is anticipated. For example, often funeral directors are contacted when death is foreseen in order to begin the process of planning funeral arrangements and prevent unnecessary delays. In addition, the embalming of the body is affected by the medical condition of the body.

In addition, it was noted that funeral directors need to be aware of the presence of a contagious or infectious disease in order to properly advise family members of funeral and disposition options and how they may be affected by state law. For example, certain states may prohibit cremation of remains for a certain period unless the death was caused by a contagious or infectious disease, or prohibit family members from assisting in preparing the body for disposition if there is a risk of transmitting a communicable disease from the corpse.

Response: We agree that disclosures to funeral directors for the above purposes should be allowed. Accordingly, the final rule at § 164.512(g)(2) permits covered entities to disclose protected health information to funeral directors, consistent with applicable law, as necessary to carry out their duties with respect to the decedent. Such disclosures are also permitted prior to, and in reasonable anticipation of, the individual's death.

Comment: Several commenters urged that the proposed standard for deceased individuals be clarified to allow access by a family member who has demonstrated a legitimate health-related reason for seeking the information when there is no executor, administrator, or other person authorized under applicable law to exercise the right of access of the individual.

Another commenter asked that the rule differentiate between blood relatives and family members and address their different access concerns, such as with genetic information versus information about transmittable diseases. They also recommended that the regulation allow access to protected health information by blood-related relatives prior to the end of the two-year period and provide them with the authority to extend the proposed two-year period of protection if they see fit. Lastly, the commenter suggested that the regulation address the concept of when the next-of-kin may not be appropriate to control a deceased person's health information.

Response: We agree that family members may need access to the protected health information of a deceased individual, and this regulation permits such disclosure in two ways. First, a family member may qualify as a "personal representative" of the individual (see § 164.502(g)). Personal representatives include anyone who has authority to act on behalf of a deceased individual or such individual's estate, not just legally-appointed executors. We also allow disclosure of protected health information to health care providers for purposes of treatment, including treatment of persons other than the individual. Thus, where protected health information about a deceased person is relevant to the treatment of a family member, the family member's physician may obtain that information. Because we limit these disclosures to disclosures for treatment purposes, there is no need to distinguish between disclosure of information about communicable diseases and disclosure of genetic information.

With regard to fitness to control information, we defer to existing state and other laws that address this matter.

Comment: It was observed that under the proposed regulation, legal representatives with "power of attorney" for matters unrelated to health care would have unauthorized access to confidential medical records. Commenters recommended that access to a person's protected health information be limited to those representatives with a "power of attorney" for health care matters only. Related comments asked that the rule limit the definition of "power of attorney" to include only those instruments granting specific power to deal with health care functions and health care records.

Response: We have deleted the reference to "power of attorney." Under the final rule, a person is a personal representative of a living individual if, under applicable law, such person has authority to act on behalf of an individual in making decisions related to health care. "Decisions relating to health care" is broader than consenting to treatment on behalf of an individual; for example, it would include decisions relating to payment for health care. We clarify that the rights and authorities of a personal representative under this rule are limited to protected health information relevant to the rights of the person to make decisions about an individual under other law. For example, if a husband has the authority only to make health care decisions about his wife in an emergency, he would have the right to access protected health information related to that emergency, but he may not have the right to access information about treatment that she had received ten years ago.

We note that the rule for deceased individuals differs from that of living individuals. A person may be a personal representative of a deceased individual if they have the authority to act on behalf of such individual or such individual's estate for any decision, not only decisions related to health care. We create a broader scope for a person who is a personal representative of a deceased individual because the deceased individual cannot request that information be disclosed pursuant to an authorization, whereas a living individual can do so.

Comment: Some commenters asked that the NPRM provision allowing informal decision-makers access to the protected health information of an incapacitated individual should be maintained in the final rule.

Response: We agree with the commenters, and retain permission for covered entities to share protected health information with informal decision makers, under conditions specified in § 164.510(b). A person need not be a personal representative for such disclosure of protected health information to be made to an informal decision-maker.

Comment: Commenters urged that individuals with mental retardation, who can provide verbal agreement or authorization, should have control over dissemination of their protected health information, in order to increase the privacy rights of such individuals.

Response: Individuals with mental retardation have control over dissemination of their protected health information under this rule to the extent that state law provides such individuals with the capacity to act on their own behalf. We note that a covered entity need not disclose information pursuant to a consent or authorization. Therefore, even if state law determines that an individual with mental retardation is not competent to act and a personal representative provides authorization for a disclosure, a covered entity may choose not to disclose such information if the individual who lacks capacity to act expresses his or her desire that such information not be disclosed.

Comment: A commenter suggested that the final rule should provide health plans with a set of criteria for formally identifying an incapacitated individual's decision-maker. Such criteria would give guidance to health plans that would help in not releasing information to the wrong person.

Response: The determination about who is a personal representative under this rule is based on state or other applicable law. We require that a covered entity verify the authority of a personal representative, in accordance with § 164.514(h) in order to disclose information to such person.

Comment: Commenters were troubled by the inclusion of minors in the definition of "individual" and believed that the presumption should be that parents have the right to care for their children.

Response: We agree that a parent should have access to the protected health information about their unemancipated minor children, except in limited circumstances based on state law. The approach in the final rule helps clarify this policy. The definition of "individual" is simplified in the final rule to "the person who is the subject of protected health information." (§ 164.501). We created a new section (§ 164.502(g)) to address "personal representatives," which includes parents and guardians of unemancipated minors. Generally, we provide that if under applicable law a parent has authority to act on behalf of an unemancipated minor in making decisions relating to health care about the minor, a covered entity must treat the parent as the personal representative with respect to protected health information relevant to such personal representation. The regulation provides only three limited exceptions to this rule based upon current state law and physician practice.

Comment: Many commenters agreed with our approach in the NPRM to give minors who may lawfully access health care the rights to control the protected health information related to such health care.

Several commenters disagreed with this approach and recommended that where states allow minors too much independence from parents, the rule should not defer to state law. One commenter suggested that we give an individual the right to control protected health information only when the individual reaches the age of majority.

Response: In the final rule, the parent, as the personal representative of a minor child, controls the protected health information about the minor, except that the parent does not act as a personal representative of the minor under the rule in three limited circumstances based on state consent law and physician practice. The final rule defers to consent laws of each state and does not attempt to evaluate the amount of control a state gives to a parent or minor. If a state provides an alternative means for a minor to obtain health care, other than with the consent of a parent, this rule preserves the system put in place by the state.

The first two exceptions, whereby a parent is not the personal representative for the minor and the minor can act for himself or herself under the rule, occur if the minor consents to a health care service, and no other consent to such health care service is required by law, or when the minor may lawfully obtain a health care service without the consent of a parent, and the minor, a court, or another person authorized by law consents to such service. The third exception is based on guidelines of the American Pediatric Association, current practice, and agreement by parents. If a parent assents to an agreement of confidentiality between a covered provider and a minor with respect to a health care service, the parent is not the personal representative of the minor with respect to the protected health information created or received subject to that confidentiality agreement. In such circumstances, the minor would have the authority to act as an individual, with respect to such protected health information.

Comment: Some commenters requested that we permit minors to exercise the rights of an individual when applicable law requires parental notification as opposed to parental consent.

Response: We adopt this policy in the final rule. If the minor consents to a health care service, and no other consent to such health care service is required by law, regardless of whether the consent of another person has also been obtained or notification to another person has been given, only the minor may be treated as the individual with respect to the protected health information relating to such health care service. The rule does not affect state law that authorizes or requires notification to a parent of a minor's decision to obtain a health care service to the extent authorized or required by such law. In addition, state parental notification laws do not affect the rights of minors under this regulation.

Comment: Some commenters requested clarification that when a minor may obtain a health care service without parental consent and voluntarily chooses to involve a parent, the minor retains the rights, authorities and confidentiality protections established in this rule.

Response: We agree that minors should be encouraged to voluntarily involve a parent or other responsible adult in their health care decisions. The rule is not intended to require that minors choose between involving a parent and maintaining confidentiality protections. We have added language in § 164.502(g)(3)(i) to clarify that when a minor consents to a health care service and no other consent is required by law, if the minor voluntarily chooses to involve a parent or other adult, the minor nonetheless maintains the exclusive ability to exercise their rights under the rule. This is true even if a parent or other person also has consented to the health care service for which the minor lawfully consented. Under the rule, a minor may involve a parent and still preserve the confidentiality of their protected health information. In addition, a minor may choose to have a parent act as his or her personal representative even if the minor could act on his or her own behalf under the rule. If the minor requests that a covered entity treat a parent as his or her personal representative, the covered entity must treat such person as the minor's personal representative even if the minor consents to a health care service and no other consent to such health care service is required by law.

Comment: Some commenters requested that the rule provide for the preservation of patient confidences if a health care provider and a minor patient enter into an agreement of confidentiality and a parent assents to this arrangement.

Response: We have addressed this concern in the final rule by adding a provision that ensures that a minor maintains the confidentiality protections provided by the rule for information that is created or received pursuant to a confidential communication between a provider and a minor when the minor's parent assents to an agreement of confidentiality between the provider and the minor. (§ 164.502(g)(3)(ii)). The American Academy of Pediatrics Guidelines for Health Supervision III, which are meant to serve as "a framework to help clinicians focus on important issues at developmentally appropriate time intervals," recommends that physicians interview children alone beginning at the age of twelve (or as early as the age of ten if it is comfortable for the child). This recommendation is based on the fact that adolescents tend to underutilize existing health care resources, in part, because of a concern for confidentiality. 7 The recommended interview technique in the Guidelines states that the provider discuss the rules of confidentiality with the adolescent and the parent and that the adolescent's confidentiality should be respected. We do not intend to interfere with these established protocols or current practices. Covered entities will need to establish procedures to separate protected health information over which the minor maintains control from protected health information with respect to which the minor's parent has rights as a personal representative of the minor.

A covered provider may disclose protected health information to a parent, regardless of a confidentiality agreement, if there is an imminent threat to the minor or another person, in accordance with § 164.512(j)(1)(i).

Comment: Several commenters suggested that we add a provision in the final rule to provide minors and parents with concurrent rights under certain circumstances, particularly when the minor reaches 16 years of age or when a parent authorizes his or her minor child to exercise these rights concurrently.

Response: We do not add such provision in the final rule. We believe that establishing concurrent rights through this rule could result in problems that affect the quality of health care if the minor and the parent were to disagree on the exercise of their rights. The rule would not prevent a parent from allowing a minor child to make decisions about his or her protected health information and acting consistently with the minor's decision. In all cases, either the parent has the right to act for the individual with respect to protected health information, or the minor has the right to act for himself or herself. The rule does not establish concurrent rights for parents and minors.

Comment: Commenters requested clarification about the rights of an adult or emancipated minor with respect to protected health information concerning health care services rendered while the person was an unemancipated minor.

Response: Once a minor becomes emancipated or attains the age of majority, as determined by applicable state law, the parent is no longer the personal representative under § 164.502(g)(3) of such individual, unless the parent has the authority to act on behalf of the individual for some reason other than their authority as a parent. An adult or emancipated minor has rights under the rule with respect to all protected health information about them, including information obtained while the individual was an unemancipated minor.

Comment: One commenter pointed out that language in the definition of individual in the NPRM that grants a minor the rights of an individual when he or she "lawfully receives care without the consent of, or notification to, a parent . . ." would have the effect of granting rights to an infant minor who receives emergency care when the parent is not available.

Response: This result was not our intent. We have changed the language in § 164.502(g)(3)(i) of the final rule to provide a minor the right to act as an individual when the minor can obtain care without the consent of a parent and the minor consents to such care. Because an infant treated in an emergency situation would not be able to consent to care, the infant's parent would be treated as the personal representative of the infant. Section 164.502(g)(3)(ii) provides that the parent is not the personal representative of the minor under the rule if the minor may obtain health care without the consent of a parent and the minor, a court, or another person authorized by law consents to such service. If an infant obtains emergency care without the consent of a parent, a health care provider may provide such care without consent to treatment. This situation would fall outside the second exception, and the parent would remain the personal representative of the minor.

Comment: Commenters were concerned about the interaction of this rule with FERPA with respect to parents' right to access the medical records of their children.

Response: We direct the commenters to a discussion of the interaction between our rule and FERPA in the "Relationship to Other Federal Laws" section of the preamble.

Comments: Some commenters wanted to see more limitations put on the ability to whistleblow in the final rule. These commenters were concerned about how disclosed protected health information would be used during and subsequent to the whistleblowing event and felt that adding additional limitations to the ability to whistleblow would help to alleviate these concerns. Some of these commenters were concerned that there was no protection against information later being leaked to the public or re-released after the initial whistleblowing event, and that this could put covered entities in violation of the law. Many commenters wanted to see the whistleblower provision deleted entirely. According to a number of health care associations who commented on this topic, current practices already include adequate mechanisms for informing law enforcement, oversight and legal counsel of possible violations without the need for patient identifiable information; thus, the provision allowing whistleblowers to share protected health information is unnecessary. Additionally, some commenters felt that the covered entity needs to be allowed to prohibit disclosures outside of legitimate processes. Some commenters were concerned about not having any recourse if the whistleblower's suspicions were unfounded.

Response: In this rule, we do not regulate the activities of whistleblowers. Rather, we regulate the activities of covered entities, and determine when they may be held responsible under this rule for whistleblowing activities of their workforce or business associates when that whistleblowing involves the disclosure of protected health information. Similarly, we regulate when covered entities must and need not sanction their workforce who disclose protected health information in violation of the covered entity's policies and procedures, when that disclosure is for whistleblowing purposes. See § 164.530(e). This rule does not address a covered entity's recourse against a whistleblower under other applicable law.

We do not hold covered entities responsible under this rule for whistleblowing disclosures of protected health information under the circumstances described in § 164.502(j). Our purpose in including this provision is to make clear that we are not erecting a new barrier to whistleblowing, and that covered entities may not use this rule as a mechanism for sanctioning workforce members or business associates for whistleblowing activity. We do not find convincing commenters' arguments for narrowing or eliminating the scope of the whistleblowing which triggers this protection.

Congress, as well as several states, have recognized the importance of whistleblower activity to help identify fraud and mismanagement and protect the public's health and safety. Whistleblowers, by their unique insider position, have access to critical information not otherwise easily attainable by oversight and enforcement organizations.

While we recognize that in many instances, de-identified or anonymous information can be used to accomplish whistleblower objectives, there are instances, especially involving patient care and billing, where this may not be feasible. Oversight investigative agencies such as the Department of Justice rely on identifiable information in order to issue subpoenas that are enforceable. Relevant court standards require the government agency issuing the subpoena to explain why the specific records requested are relevant to the subject of the investigation, and without such an explanation the subpoena will be quashed. Issuing a subpoena for large quantities of individual records to find a few records involving fraud is cost prohibitive as well as likely being unenforceable.

We note that any subsequent inappropriate disclosure by a recipient of whistleblower information would not put the covered entity in violation of this rule, since the subsequent disclosure is not covered by this regulation.

Comments: A few commenters felt that the whistleblower should be held to a "reasonableness standard" rather than a "belief" that a violation has taken place before engaging in whistleblower activities. The commenters felt that a belief standard is too subjective. By holding the whistleblower to this higher standard, this would serve to protect protected health information from being arbitrarily released. Some commenters saw the whistleblower provision as a loophole that gives too much power to disgruntled employees to inappropriately release information in order to cause problems for the employer.

On the other hand, some commenters felt that all suspicious activities should be reported. This would ease potential whistleblowers' concerns over whether or not they had a legitimate concern by leaving this decision up to someone else. A number of commenters felt that employees should be encouraged to report violations of professional or clinical standards, or when a patient, employee, or the public would be put at risk. A small number of commenters felt that the whistleblower should raise the issue within the covered entity before going to the attorney, oversight agency, or law enforcement entity.

Response: We do not attempt to regulate the conduct of whistleblowers in this rule. We address uses and disclosures of protected health information by covered entities, and when a covered entity will violate this rule due to the actions of a workforce member or business associate. In the final rule, we provide that a covered entity is not in violation of the rule when a workforce member or business associate has a good faith belief that the conduct being reported is unlawful or otherwise violates professional or clinical standards, or potentially endangers patients, employees or the public. We concur that the NPRM language requiring only a "belief" was insufficient. Consequently, we have strengthened the standard to require a good faith belief that an inappropriate behavior has occurred.

Comment: A number of commenters believe that employees should be encouraged to report violations of professional or clinical standards, or report situations where patients, employees, or the public would be put at risk. Their contention is that employees, especially health care employees, may not know whether the problem they have encountered meets a legal threshold of wrongdoing, putting them at jeopardy of sanction if they are incorrect, even if the behavior did reflect violation of professional and clinical standards or put patients, employees, or the public at risk.

Response: We agree that covered entities should be protected when their employees and others engage in the conduct described by these commenters. We therefore modify the proposal to protect covered entities when the whistleblowing relates to violations of professional or clinical standards, or situations where the public may be at risk, and eliminate the reference to "evidence."

Comments: A significant number of those commenting on the whistleblower provision felt that this provision was contrary to the rest of the rule. Whistleblowers could very easily release protected health information under this provision despite the fact that the rest of this rule works very hard to ensure privacy of protected health information in all other contexts. To this end, some commenters felt that whistleblowers should not be exempt from the minimum necessary requirement.

Response: As stated above, we do not regulate the conduct of whistleblowers. We discuss above the importance of whistleblowing, and our intention not to erect a new barrier to such activity. The minimum necessary standard applies to covered entities, not to whistleblowers.

Comments: Some commenters felt that disclosures of suspected violations should only be made to a law enforcement official or oversight agency. Other commenters said that whistleblowers should be able to disclose their concerns to long-term care ombudsmen or health care accreditation organizations, particularly because certain protected health information may contain evidence of abuse. Some commenters felt that whistleblowers should not be allowed to freely disclose information to attorneys. They felt that this may cause more lawsuits within the health care industry and be costly to providers. Furthermore, allowing whistleblowers to go to attorneys increases the number of people who have protected health information without any jurisdiction for the Secretary to do anything to protect this information.

Response: We agree with the commenters who suggested that we recognize other appropriate entities to which workforce members and business associates might reasonably make a whistleblowing disclosure. In the final rule we expand the provision to protect covered entities for disclosures of protected health information made to accreditation organizations by whistleblowers. We agree with the commenters that whistleblowers may see these organizations as appropriate recipients of health information, and do not believe that covered entities should be penalized for such conduct.

We also agree that covered entities should be protected when whistleblowers disclose protected health information to any health oversight agency authorized by law to investigate or oversee the conditions of the covered entity, including state Long-Term Care Ombudsmen appointed in accordance with the Older Americans Act. Among their mandated responsibilities is their duty to identify, investigate and resolve complaints that are made by, or on behalf of, residents related to their health, safety, welfare, or rights. Nursing home staff often bring complaints regarding substandard care or abuse to ombudsmen. Ombudsmen provide a potentially more attractive outlet for whistleblowers since resolution of problems may be handled short of legal action or formal investigation by an oversight agency.

We disagree with commenters that the provision permitting disclosures to attorneys is too broad. Workforce members or business associates may not understand their legal options or their legal exposure when they come into possession of information about unlawful or other inappropriate or dangerous conduct. Permitting potential whistleblowers to consult an attorney provides them with a better understanding of their legal options. We rephrase the provision to improve its clarity.

Comment: One commenter suggested that a notice of information practices that omits disclosure for voluntary reporting of fraud will chill internal whistleblowers who will be led to believe - falsely - that they would violate federal privacy law, and be lawfully subject to sanction by their employer, if they reported fraud to health oversight agencies.

Response: The notice of information practices describes a covered entity's information practices. A covered entity does not make whistleblower disclosures of protected health information, nor can it be expected to anticipate any such disclosures by its workforce.

Comment: One commenter suggested that the whistleblower provisions could allow covered entities to make illegal disclosures to police through the back door by having an employee who believes there is a violation of law do the disclosing. Any law could have been violated and the violator could be anyone (a patient, a member of the patient's family, etc.)

Response: We have eliminated whistleblower disclosures for law enforcement purposes from the list of circumstances in which the covered entity will be protected under this rule. This provision is intended to protect the covered entity when a member of its workforce or a business associate discloses protected health information to whistleblow on the covered entity (or its business associates); it is not intended for disclosures of conduct by the individual who is the subject of the information or third parties.
